Overview

The OWASP (Open Web Application Security Project) ModSecurity™ CRS (Core Rule Set) is a set of rules that Apache's ModSecurity™ module can use to help protect your server. While these rules do not make your server impervious to attacks, they greatly increase the amount of protection for your web applications.

About OWASP

Why should I use the OWASP ModSecurity rule set?

Protection from insecure web application design — ModSecurity rule sets can provide a layer of protection for web applications such as WordPress, phpBB, or other types of web applications. It can potentially protect against vulnerabilities in out-of-date web applications that protect against vulnerabilities in unpatched, out-of-date applications. If the developer of an application makes a security mistake, ModSecurity may block a security attack before it can access the vulnerable application.

Protection against operating system level attack — ModSecurity rule sets can protect against attacks that exploit the operating system of your server. For example, in 2014, there was a security flaw in the Bash shell program that Linux servers use. Security experts created ModSecurity rules to disallow the use of the exploit thought Apache. Server administrators used these ModSecurity rules and added additional security to their system until the release of a security patch for Bash shell.

Protect against generalized malicious traffic — Some of the security threats that server administrators face may not directly attack a program or application on your server. DoS (Denial of Service) attacks, for example, are common attacks. You can reduce the impact of such malicious traffic through the use of ModSecurity rules.

What are the risks?

As with any mechanism that blocks web traffic, OWASP rules could block legitimate traffic (false positives). While both OWASP and cPanel, Inc. aim to curate the OWASP rule set to reduce the potential for false positives, the rule set may block legitimate traffic. Review theModSecurity Toolsinterface (WHM >> Home >> Security Center >> ModSecurity™ Tools ) routinely to evaluate the traffic that the rule set blocks and whether these blocks affect legitimate users.

How do I use the OWASP ModSecurity rule set?

Select the ModSecurity (mod_security) Apache module when you use EasyApache 4interface (WHM >> Home >> Software >> EasyApache 4). After you install the ModSecurity Apache module, use the ModSecurity Vendors interface (WHM >> Home >> Security Center >> ModSecurity™ Vendors) to install the OWASP rule set. When you enable the configuration files, the rules become active. To review the logged notifications and blocked traffic from these rules, use theModSecurity Toolsinterface (WHM >> Home >> Security Center >> ModSecurity™ Tools).

How do I report a possible issue with an OWASP ModSecurity rule?

You can report a OWASP rule with which you find a problem, perform the following steps:

REQUEST-920-PROTOCOL-ENFORCEMENT

The rules in this configuration file enable enforcement of certain HTTP restrictions on invalid or unusable data sent from clients. Block these request to help prevent the exploitation of a web application that did not expect the request.

REQUEST-921-PROTOCOL-ATTACK

The configuration file path:

modsec_vendor_configs/OWASP/rules/REQUEST-921-PROTOCOL-ATTACK.conf

The rules in this configuration file enable specific checks for requests to mitigate HTTP Request Smuggling and Response Splitting attacks. These attacks can cause HTTP servers and proxies to mistakenly accept or return data that hide from other checks or rules due to a false Content-Length.

REQUEST-930-APPLICATION-ATTACK-LFI

The rules in this configuration file enable protection against Local File Inclusion (LFI) attacks. During a LFI attack, a malicious client causes an application to serve or otherwise process a file from the local server's file system. These local server files would not normally be publicly accessible.

REQUEST-931-APPLICATION-ATTACK-RFI

The rules in this configuration file enable protection against RFI (Remote File Inclusion) attacks. During a RFI attack, a malicious client exploits the server's software to embed a client-specified file into the content of the page.

Note:

This kind of attack executes malicious code either on the server or client side, based on the nature of the vulnerability.

REQUEST-941-APPLICATION-ATTACK-XSS

The rules in this configuration file enable protection against XSS (cross-site scripting) attacks. During an XSS attack, the attacker injects scripts into web pages that other users view. These may do damage to either the server or to the viewer of the web page, or they allow a user to acquire and exploit other users' accounts or web sessions.

REQUEST-942-APPLICATION-ATTACK-SQLI

The rules in this configuration file enable protection against SQL injection attacks. During a SQL injection attack, a client is able to pass a specially crafted HTTP request to the server. This HTTP request causes the server to mistakenly execute a malicious query.

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION

The rules in this configuration file enable protection against Session Fixation attacks. During a Session Fixation attack, attackers to force a user's session ID to be predictable. With the session ID, the attacker can take over a session that belongs to another user.

REQUEST-20-PROTOCOL-ENFORCEMENT

The rules in this configuration file enable enforcement of certain HTTP restrictions on invalid or unusable data sent from clients. Block these request to help prevent the exploitation of a web application that did not expect the request.

REQUEST-21-PROTOCOL-ATTACK

The configuration file path:

modsec_vendor_configs/OWASP/rules/REQUEST-21-PROTOCOL-ATTACK.conf

The rules in this configuration file enable specific checks for requests to mitigate HTTP Request Smuggling and Response Splitting attacks. These attacks can cause HTTP servers and proxies to mistakenly accept or return data that hide from other checks or rules due to a false Content-Length.

REQUEST-30-APPLICATION-ATTACK-LFI

The rules in this configuration file enable protection against Local File Inclusion (LFI) attacks. During a LFI attack, a malicious client causes an application to serve or otherwise process a file from the local server's file system. These local server files would not normally be publicly accessible.

REQUEST-31-APPLICATION-ATTACK-RFI

The rules in this configuration file enable protection against RFI (Remote File Inclusion) attacks. During a RFI attack, a malicious client exploits the server's software to embed a client-specified file into the content of the page.

Important:

You must disable the rules in this configuration file if you wish to add redirects in cPanel's Redirectsinterface (cPanel >> Home >> Domains >> Redirects).

Note:

This kind of attack executes malicious code either on the server or client side, based on the nature of the vulnerability.

REQUEST-41-APPLICATION-ATTACK-XSS

The rules in this configuration file enable protection against XSS (cross-site scripting) attacks. During an XSS attack, the attacker injects scripts into web pages that other users view. These may do damage to either the server or to the viewer of the web page, or they allow a user to acquire and exploit other users' accounts or web sessions.

REQUEST-42-APPLICATION-ATTACK-SQLI

The rules in this configuration file enable protection against SQL injection attacks. During a SQL injection attack, a client is able to pass a specially crafted HTTP request to the server. This HTTP request causes the server to mistakenly execute a malicious query.

REQUEST-43-APPLICATION-ATTACK-SESSION-FIXATION

The rules in this configuration file enable protection against Session Fixation attacks. During a Session Fixation attack, attackers force a user's session ID to be predictable. With the session ID, the attacker can take over a session that belongs to another user.

REQUEST-49-BLOCKING-EVALUATION

The configuration file path:

modsec_vendor_configs/OWASP/rules/REQUEST-49-BLOCKING-EVALUATION.conf

The rules in this configuration file blocks traffic that various other configuration files request.

Warning:

Other rules in the rule set depend on this configuration file to block incoming attacks. If you disable this configuration file, other rules will detect, but not block, incoming attacks.

RESPONSE-50-DATA-LEAKAGES-IIS

The configuration file path:

modsec_vendor_configs/OWASP/rules/RESPONSE-50-DATA-LEAKAGES-IIS.conf

The rules in this configuration file enable protection against data leakages that relate to the Microsoft IIS web server.

Note:

This rule set is only needed if your Apache server processes proxy requests to an IIS server or IIS-hosted application.

RESPONSE-50-DATA-LEAKAGES-JAVA

The configuration file path:

modsec_vendor_configs/OWASP/rules/RESPONSE-50-DATA-LEAKAGES-JAVA.conf

The rule in this configuration file attempts to prevent that exposure of details about server-side Java applications to the client.

Note:

For example, if a Java application returns an exception or raw code to a web page, these rules help prevent the display of the errors or raw code.

RESPONSE-50-DATA-LEAKAGES-PHP

The configuration file path:

modsec_vendor_configs/OWASP/rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf

The rules in this configuration file enable protection against PHP-related data and source code leakage from the server to the client.

Note:

For example, a PHP application could produce an error that reveals internal implementation details about the application. This protection reduces the chance that users will see these details.

RESPONSE-50-DATA-LEAKAGES

The configuration file path:

modsec_vendor_configs/OWASP/rules/RESPONSE-50-DATA-LEAKAGES.conf

The rules in this configuration file enable protection against certain types of data leakages from the server to the client.

Note:

For example, these rules prevent directory listings.

RESPONSE-51-DATA-LEAKAGES-SQL

The configuration file path:

modsec_vendor_configs/OWASP/rules/RESPONSE-51-DATA-LEAKAGES-SQL.conf

The rules in this configuration file enable protection against the leakage of inappropriate types of internal database information from the server to clients.

Note:

For example, if a SQL syntax error occurs, these rules will hide it. This protection reduces the chance that users will see the internal SQL errors of the application.

cPanel, WebHost Manager, and WHM are registered trademarks of cPanel, Inc. for providing its computer software that facilitates the management and configuration of Internet web servers. ®2018 All rights reserved.